
Sun ONE Identity Server 6.1 Administration Guide

Chapter 1
Product Overview

This chapter provides an overview of the features of Sun™ ONE Identity Server. It contains the following sections:

Sun ONE Identity Server

Sun ONE Identity Server technology is part of the Sun Open Net Environment (Sun ONE) Platform for Network Identity. Identity Server is a set of tools used to leverage the management and security potential of Sun ONE Directory Server, the Lightweight Directory Access Protocol-based (LDAP) data store. Identity Server integrates Directory Server with a user authentication and single sign-on function which increases data security. It also allows administrators to initiate user entry management based on roles, an entry grouping mechanism which appears as an attribute in a user entry. Lastly, developers can define and manage the configuration parameters of a multitude of default and custom-made services. All three of these functions are accessed through a customizable graphical user interface, the browser-based Identity Server console.

Features of Identity Server

Identity Server is built on top of an installation of Directory Server. The concept is to give directory administrators a more consistent and intuitive interface to work from as well as features used to extend the capabilities of Directory Server.

Service Configuration

Configuration parameters for default and custom-made business services can be specified with the Identity Server service management component. Using XML and the DTD defined within the Identity Server framework, service developers can define the parameters of a corporate service (such as a mail service, a billing service or a logging service) and manage the service’s parameters or attributes. In addition, Identity Server allows service administrators to define the value of these attributes.

Policy Management

Identity Server also provides a method to define, modify or remove the rules that control access to business resources. Collectively, these rules are referred to as policy.


Identity Server uses the Security Assertion Markup Language (SAML) for exchanging security information. SAML defines an eXtensible Markup Language (XML) framework to achieve inter-operability across different vendor platforms that provide this type of information. The SAML framework is described in the Sun ONE Identity Server Customization and API Guide.

Federation Management

Identity Server has integrated a Federation Management module to make use of the open standards for federated network identity being developed by the Liberty Alliance Project.


Identity Server provides a plug-in solution for user authentication. The criteria needed to authenticate a particular user are based on the authentication service configured for each organization in the Identity Server enterprise. Before being allowed access to an Identity Server session, a user must pass through authentication successfully.

Single Sign-On

Once the user is authenticated, Identity Server’s API for Single Sign-On (SSO) takes over. Each time the authenticated user tries to access a protected page, the SSO API determines whether the user has the permissions required based on the user’s authentication credentials. If the user is valid, access to the page is given without additional authentication. If not, the user will be prompted to authenticate again.

Policy Agents

Policy Agents are installed onto a web container (Sun ONE Web Server or Sun ONE Application Server). Each agent is a specific instance of the Identity Server policy component. The agent serves as an additional authentication step when a user sends a request for a web resource that lives on the protected web server. This authentication is in addition to any user authentication check that the resource itself must perform. The agent protects the web server; the resource is protected by the authentication plug-in.

Identity Management

The Identity Management component allows for the creation and management of identity-related objects. User, role, group, policies, organization, suborganization and container objects can be defined, modified or deleted using either the Identity Server console or the command line interface. The console has default administrators with varying degrees of privileges used to create and manage the organizations, groups, containers, users, services, and policies. (Additional administrators can be created based on roles.) The administrators are defined within the Directory Server when installed with Identity Server. These administrators are:

The Identity Server Console

The Identity Server console is divided into three sections: the Location frame, the Navigation frame and the Data frame. By using all three frames, the administrator is able to navigate the directory, perform user and service configurations and create policies.

Figure 1-1  The Identity Server Console

The Identity Server Console:  Header frame (top), Navigation frame (left), Data frame (right)

Header Frame

The Header frame runs along the top of the console. The tabs in the Header frame allow the administrator to switch between the different management module views:

The Location field provides a trail to the administrator’s position in the directory tree. This path is used for navigational purposes.

The Welcome field displays the name of the user that is currently running the console with a link to the user profile.

The Search link displays an interface that allows the user to search for entries of a specific Identity Server object type. Use the pull-down menu to select the object type and enter the search string. The results are returned in the search table. Wildcards are accepted.

The Help link opens a browser window containing information on Identity Management, Current Sessions, Federation Management and Part 3 of this documentation, the Attribute Reference Guide.

The Logout link allows the user to log out of the Identity Server.

Navigation Frame

The Navigation frame is the left portion of the Identity Server console. The Directory Object portion (within the grey box) displays the name of the directory object that is currently open and its Properties link. (Most objects displayed in the Navigation frame will have a corresponding Properties link. Selecting this link will render the entry’s attributes in the Data frame to the right.) The View menu lists the directories under the selected directory object. Depending on the number of sub-directories, a paging mechanism is provided.

Data Frame

The Data frame is the right portion of the console. This is where all object attributes and their values are displayed and configured and where entries are selected for their respective group, role or organization.


You can select or deselect all of the items in a list by clicking the Select All or Deselect All icons.




Copyright 2003 Sun Microsystems, Inc. All rights reserved.